June 09, 2006
Information Security Program
TO: Licensee, Board of Directors, Executive Officers
SUBJECT: Information Security Program
DFI is providing the following information to state-chartered financial institutions as a reminder of the requirement for financial institutions to develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.
Note: The Board of Directors or a designated committee is responsible for an Information Security Program that meets the Information Security Guidelines (Part 364-B FDIC Rules and Regulations).
Guidance for an Information Security Program is available from the FDIC Web site at http://www.fdic.gov/regulations/examinations/workprogram/
Information Security Programs should evaluate the following:
- Identify all reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
- Consider the criticality of the information being protected in creating a risk mitigation strategy.
- Review the institution's existing controls to mitigate risks. Does the institution's analysis consider the current administrative, physical, and technical safeguards that prevent or mitigate potential damage?
- Determine whether all applicable policies address any new products, services, or delivery channels affected by electronic capabilities, including encryption of data on all computers.
An overview of managing information technology risks will be provided as part of the FDIC's 2006 Directors' College Program. Topics will include:
- Emerging and prevalent technology risks facing financial institutions, and the control structures directors should oversee to manage those risks.
- Components of an effective information security program that complies with the Gramm-Leach-Bliley Act, and director responsibilities associated with several new regulatory directives.
- Effective vendor oversight and disaster recovery lessons learned from Hurricane Katrina.
- Discussion of the FDIC's new IT Risk Management Program, which examiners use to evaluate a bank's technology environment, with its focus on the risk assessment process and audit.
For additional information including dates and locations: http://www.fdic.gov/regulations/resources/directors_college/sf/.